Merge pull request #1194 from equinor/master

Release RBAC Cleanup
equinor · Sep 20, 2024 · 10a7dba · 10a7dba
2 parents ea5dcff + f8f9ed6
commit 10a7dba
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 33 deletions.
diff --git a/charts/radix-operator/Chart.yaml b/charts/radix-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: radix-operator
-version: 1.39.0
-appVersion: 1.59.1
+version: 1.39.2
+appVersion: 1.59.2
 kubeVersion: ">=1.24.0"
 description: Radix Operator
 keywords:

diff --git a/charts/radix-operator/templates/radix-apps-rbac.yaml b/charts/radix-operator/templates/radix-apps-rbac.yaml
@@ -37,17 +37,6 @@ rules:
   - watch
   - patch
   - create
-# Remove as part of https://equinor.atlassian.net/browse/RA-725
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - get
-  - list
-  - watch
-  - patch
-  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -133,7 +122,13 @@ rules:
   verbs:
   - get
   - list
-
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/pkg/apis/deployment/oauthproxyresourcemanager.go b/pkg/apis/deployment/oauthproxyresourcemanager.go
@@ -483,7 +483,6 @@ func (o *oauthProxyResourceManager) createOrUpdateRbac(ctx context.Context, comp
 
 func (o *oauthProxyResourceManager) createOrUpdateAppAdminRbac(ctx context.Context, component v1.RadixCommonDeployComponent) error {
 	secretName := utils.GetAuxiliaryComponentSecretName(component.GetName(), defaults.OAuthProxyAuxiliaryComponentSuffix)
-	deploymentName := utils.GetAuxiliaryComponentDeploymentName(component.GetName(), defaults.OAuthProxyAuxiliaryComponentSuffix)
 	roleName := o.getRoleAndRoleBindingName("radix-app-adm", component.GetName())
 	namespace := o.rd.Namespace
 
@@ -493,7 +492,6 @@ func (o *oauthProxyResourceManager) createOrUpdateAppAdminRbac(ctx context.Conte
 		roleName,
 		radixlabels.ForAuxComponent(o.rd.Spec.AppName, component),
 		kube.ManageSecretsRule([]string{secretName}),
-		kube.UpdateDeploymentsRule([]string{deploymentName}),
 	)
 
 	err := o.kubeutil.ApplyRole(ctx, namespace, role)

diff --git a/pkg/apis/deployment/oauthproxyresourcemanager_test.go b/pkg/apis/deployment/oauthproxyresourcemanager_test.go
@@ -410,22 +410,17 @@ func (s *OAuthProxyResourceManagerTestSuite) Test_Sync_OAuthProxyRbacCreated() {
 	expectedRoles := []string{fmt.Sprintf("radix-app-adm-%s", utils.GetAuxiliaryComponentDeploymentName(componentName, defaults.OAuthProxyAuxiliaryComponentSuffix)), fmt.Sprintf("radix-app-reader-%s", utils.GetAuxiliaryComponentDeploymentName(componentName, defaults.OAuthProxyAuxiliaryComponentSuffix))}
 	expectedLabels := map[string]string{kube.RadixAppLabel: appName, kube.RadixAuxiliaryComponentLabel: componentName, kube.RadixAuxiliaryComponentTypeLabel: defaults.OAuthProxyAuxiliaryComponentType}
 	expectedSecretName := utils.GetAuxiliaryComponentSecretName(componentName, defaults.OAuthProxyAuxiliaryComponentSuffix)
-	expectedDeploymentName := utils.GetAuxiliaryComponentDeploymentName(componentName, defaults.OAuthProxyAuxiliaryComponentSuffix)
 
 	actualRoles, _ := s.kubeClient.RbacV1().Roles(envNs).List(context.Background(), metav1.ListOptions{})
 	s.ElementsMatch(expectedRoles, getRoleNames(actualRoles))
 
 	admRole := getRoleByName(fmt.Sprintf("radix-app-adm-%s", utils.GetAuxiliaryComponentDeploymentName(componentName, defaults.OAuthProxyAuxiliaryComponentSuffix)), actualRoles)
 	s.Equal(expectedLabels, admRole.Labels)
-	s.Len(admRole.Rules, 2)
+	s.Len(admRole.Rules, 1)
 	s.ElementsMatch([]string{""}, admRole.Rules[0].APIGroups)
 	s.ElementsMatch([]string{"secrets"}, admRole.Rules[0].Resources)
 	s.ElementsMatch([]string{expectedSecretName}, admRole.Rules[0].ResourceNames)
 	s.ElementsMatch([]string{"get", "update", "patch", "list", "watch", "delete"}, admRole.Rules[0].Verbs)
-	s.ElementsMatch([]string{"apps"}, admRole.Rules[1].APIGroups)
-	s.ElementsMatch([]string{"deployments"}, admRole.Rules[1].Resources)
-	s.ElementsMatch([]string{expectedDeploymentName}, admRole.Rules[1].ResourceNames)
-	s.ElementsMatch([]string{"update"}, admRole.Rules[1].Verbs)
 
 	readerRole := getRoleByName(fmt.Sprintf("radix-app-reader-%s", utils.GetAuxiliaryComponentDeploymentName(componentName, defaults.OAuthProxyAuxiliaryComponentSuffix)), actualRoles)
 	s.Equal(expectedLabels, readerRole.Labels)

diff --git a/pkg/apis/kube/roles.go b/pkg/apis/kube/roles.go
@@ -144,17 +144,6 @@ func ReadSecretsRule(secretNames []string) RuleBuilder {
 	}
 }
 
-func UpdateDeploymentsRule(deployments []string) RuleBuilder {
-	return func() rbacv1.PolicyRule {
-		return rbacv1.PolicyRule{
-			APIGroups:     []string{"apps"},
-			Resources:     []string{"deployments"},
-			ResourceNames: deployments,
-			Verbs:         []string{"update"},
-		}
-	}
-}
-
 func CreateAppRole(appName, roleName string, customLabels map[string]string, ruleBuilders ...RuleBuilder) *rbacv1.Role {
 	role := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{